Incom Systems | Innovation: Delivered

June 18, 2015

Fwknop is a clever system for authenticated firewall traversal, written by Michael Rash. I like to think of it as port knocking on steroids. All the details are available at https://www.cipherdyne.org/.

One of the more useful applications of fwknop is running it on a router. Watching sshd logs has convinced me that leaving port 22 open to the outside world is an idea best avoided. Fwknop has been available in the OpenWrt project for quite some time, but until recently it has required command-line configuration. OpenWrt now has a LuCI module to make setup and configuration much easier. Starting with Chaos Calmer rc3 (and already available in trunk), all that is needed is to install luci-app-fwknopd, reboot the router, and then enable the automatically generated configuration. A base64 key and an HMAC key are generated automatically, and the rest of the configuration options are populated automatically as well. Even on a cheap router with only 4 MB of flash storage, there is room for the fwknopd service and its interface, as well as the ddns-scripts package and its interface, which is very useful when using a dynamic public IP. I've been using the TP-Link WR841ND for testing, which is currently available on Newegg for just $20.
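To make the "automatically generated configuration" concrete, here is an added example (my own, not code from the post, the OpenWrt package or the fwknop project) that does on the command line what the LuCI module does for you: it generates a random base64 encryption key and HMAC key and emits a `config access` stanza for `/etc/config/fwknopd`. The assumptions are that the OpenWrt package keeps the access.conf option names (`KEY_BASE64`, `HMAC_KEY_BASE64`, `OPEN_PORTS`, `SOURCE`, `FW_ACCESS_TIMEOUT`) as UCI options, and that 32-byte Rijndael and 64-byte HMAC SHA-256 keys are the intended sizes; the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the post or the OpenWrt/fwknop projects.
# Assumed UCI layout: /etc/config/fwknopd with a "config access" section
# whose option names mirror fwknopd's access.conf. Assumed key sizes:
# 32 bytes for the Rijndael key, 64 bytes for the HMAC SHA-256 key.
#
# On the router the flow the post describes is:
#   opkg install luci-app-fwknopd && reboot
# then enable the generated configuration in LuCI. This script only
# builds the access stanza, so it can be run and checked anywhere.

# Emit N random bytes as a single unwrapped base64 line
# (GNU base64 wraps at 76 columns, which would break a 64-byte key).
rand_b64() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# Number of bytes a base64 string decodes to; used to sanity-check keys
# before they are written out, because a short key silently weakens SPA.
b64_bytes() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Write one UCI access stanza for a client to stdout. Fails (non-zero)
# if either generated key does not decode to the expected byte count.
gen_fwknopd_access() {
    key="$(rand_b64 32)"
    hmac="$(rand_b64 64)"
    [ "$(b64_bytes "$key")" -eq 32 ] || return 1
    [ "$(b64_bytes "$hmac")" -eq 64 ] || return 1
    cat <<EOF
config access
	option SOURCE 'ANY'
	option OPEN_PORTS 'tcp/22'
	option FW_ACCESS_TIMEOUT '30'
	option KEY_BASE64 '$key'
	option HMAC_KEY_BASE64 '$hmac'
EOF
}

# Pull one option value back out of an emitted stanza (for verification).
stanza_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*option $1 '\(.*\)'$/\1/p"
}

# Usage: append the stanza to the router's config, then restart fwknopd:
#   gen_fwknopd_access >> /etc/config/fwknopd && /etc/init.d/fwknopd restart
```

The same two base64 strings are what the LuCI page encodes into its QR code, so whichever way they are produced, the decoded lengths (32 and 64 bytes) are the thing worth checking before trusting a configuration.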

Another new part of the Fwknop ecosystem is Fwknop2, now available for free on F-Droid and the Google Play Store at https://play.google.com/store/apps/details?id=org.cipherdyne.fwknop2. This rewrite of the Fwknop Android client brings support for saving multiple configurations, base64 keys, JuiceSSH integration, NAT access, and importing keys via QR code. The OpenWrt LuCI interface generates a QR code, and the Android app can scan it to populate the key and HMAC key, avoiding the need to enter either key by hand. Fwknop2 is open source, licensed GPLv2.0+, and available on my GitHub page at https://github.com/oneru/Fwknop2.

Using these two programs together, anyone can set up remote access into their home or work network in a secure way, while leaving no external ports open on their router. An example of how these parts work together: